Organizational Resilience Q&A

Some interesting questions emerged during the Organizational Resilience Webinar on 2016-10-17, which had a total of over 50 participants; here are the answers.


Can ISO 22316 be implemented in some organization instead of the 22301?

Certainly, this standard can be implemented independently from ISO 22301. However, we have to observe some circumstances: while ISO 22301 is a management system standard, essentially a list of action items which have to be observed, ISO 22316 is a guidance standard, giving suggestions on how to approach the subject. Organizations can be certified against ISO 22301, but not against ISO 22316.
Also, we are somewhat comparing apples to oranges if we take both standards in our hands and ask which one to implement. While ISO 22301 focuses on BCM (which is a wide-ranging subject), organizational resilience is even broader. Following this picture, as I tried to point out in my presentation, BCM is just a “slice” of organizational resilience.
Depending on the needs of the organization, you may very well start “implementing” ISO 22316, but you will very soon discover that an important pillar of organizational resilience is missing if you do not implement ISO 22301 beforehand (or at least simultaneously).

Is it possible to get the PowerPoint by mail after the webinar?

The completed webinar is available at this link: https://pecb.com/oldwebinar/organizational-resilience–how-iso-22316-provides-guidance-for-your-organization; the presentation is available at http://continuuuity.com/academy/.

Is it possible to come up with some indicative measure of resilience, say, a 50% rate? Many a time, when one presents the importance of a BCMS, one cites business resilience, and people often do not immediately follow, as they want something tangible.

Measuring resilience is still a topic under discussion. As opposed to a BCMS, where compliance can objectively be measured with an audit, things are more complex with organizational resilience. The standard mentions – and we have discussed it during the webinar – principles, attributes and associated activities, plus a range of management disciplines. If we simplify matters and only look at the management disciplines, we may obtain an indicative measure of resilience if we estimate how well these management disciplines are represented in a specific organization. If a number of these management disciplines are not observed in an organization (for example, information security management, BCM, risk management, …), this organization might not be particularly resilient. It can easily be disrupted and may suffer serious consequences. If an organization is very good at all of the management disciplines mentioned in the standard, and if this organization benefits from synergies between these management disciplines, it is well on the way to being a resilient organization.

Would organizational resilience still be effective if there is only commitment from certain parties? How can one determine if there is a holistic approach?

As mentioned above, if commitment comes only from certain parties and a range of other parties (management disciplines) are not committed, the organization has not gained much ground on the path to organizational resilience. For example, if there is no risk management, no strategic planning and no quality management, the organization might still be quite vulnerable. A sign of a holistic approach certainly is: as many management disciplines as possible are well developed and working together in synergy.

How important is risk management among this list?

Managing risks is very important. This means that the organization needs to constantly monitor the risk landscape and establish specific management disciplines to properly deal with these risks and their impacts. Examples are: BCM, information security management, physical security management, supply chain management and others.

Business Impact Analysis Q&A

Some interesting questions concerning the Business Impact Analysis (BIA) emerged during the 6 May 2015 and 10 September 2015 Webinars with a total of over 250 participants; here are the answers.


What would be a practical approach for the validation of different Business Continuity risk plans of an organization (manufacturing)?

If I understand risk plans as risk assessments, a way to validate them would be to compare assumptions and scope, as well as the differing viewpoints of the authors. Also, discussing different results may lead to a better understanding and validation.

What was the name of the tool presented during the Webinar?

Sokrates Maps; see www.sokratesgroup.com.

Do Sokrates Maps also define, or allow one to define, RTO and RPO by using historic data?

Sokrates Maps certainly help record, discuss and consolidate the RTOs and RPOs stated by different interested parties during a BIA process. Historic data can be used to help define (estimate) RTOs and RPOs.

Does the standard ISO 22317 require a business process approach for the BIA review?

The standard is non-binding (unlike ISO 22301, which is binding) and consists of “just” recommendations based on good practices.

As such, the standard ISO 22317 does not specify requirements; however, a business process approach is highly reasonable and recommended in the standard.

In companies with an operational risk management team, shouldn’t this kind of information be coming from them?

Information from an existing risk management team/group is welcome. However, as stated in my presentation, risk management seldom if ever specifies increasing impact over time, and the maximum recovery time (RTO).

It seems FMEA techniques would be a good way to assign risk priorities based on the assessment of potential impact.

This is correct. However, in BCM we concentrate on impact rather than on risk. For example, it does not matter (for availability, or downtime) whether my factory has been destroyed by a low-probability flood or a medium-probability fire: if the resource is lost (for months), I have to deal with this impact…

Can an organization be certified against the new ISO 22317 BIA standard?

No, the only standard to be certified against in BCM is ISO 22301. The BIA standard ISO 22317 is a so-called TS (technical specification) helping to perform a correct and complete BIA. As such, it certainly supports an organization in obtaining certification against ISO 22301. It can be assumed that certification auditors in the future will also take into account if ISO 22317 was followed when implementing a BCMS according to ISO 22301.

Who will ensure an audit of the processes, for accountability purposes?

The only standard to be certified against in BCM is ISO 22301. The BIA standard ISO 22317 is a so-called TS (technical specification) helping to perform a correct and complete BIA. As such, it certainly supports an organization in obtaining certification against ISO 22301. It can be assumed that certification auditors in the future will also take into account if ISO 22317 was followed when implementing a BCMS according to ISO 22301.

Which are some options to determine the RPO and RTO?

Roughly, the RTO is to be determined according to what impact (loss of life and limb, financial, reputational, …) a process owner or an organization is willing to take.

For the RPO, as the maximum allowable data loss, similar criteria apply.

Who are the major stakeholders to be involved during the process and development of a BIA?

ISO 22301 and 22313 use the terms stakeholders and interested parties, typically comprising, but not limited to, customers (internal and external), staff, neighbors, suppliers, regulators, government, etc.

What is the main difference between risk assessment and BIA?

As stated in my presentation, risk management seldom if ever specifies increasing impact over time and the maximum recovery time (RTO). For example, the BIA helps determine the time frames for making work area recovery (alternate office) requirements available. Also, the RPO is a value determined in a BIA, and rarely if ever in a risk assessment.

What is the main advantage of the ISO/TS 22317?

It provides a framework to organize and perform a BIA. While documentation and publications on BIA exist, ISO/TS 22317 is the work of global experts of ISO TC/292 (formerly ISO TC/223), who all contributed their knowledge and experience to compile this standard. I am honored to be part of this working group.

Does the determination of impacts in a BIA resemble the determination of impacts in a risk assessment?

Yes, there are similarities. As stated in my presentation, risk management seldom if ever specifies increasing impact over time and the maximum recovery time (RTO). For example, the BIA helps determine the time frames for making work area recovery (alternate office) requirements available. Also, the RPO is a value determined in a BIA, and rarely if ever in a risk assessment.

I did not quite get the explanation on the identification of requirements; what are you referring to?

The core of the BIA is to determine what would hurt most if I “lose” it. Requirements typically include how long I can afford not to deliver key products or services, or whether I can afford not to deliver them at all. In other words: how fast do I require these products or services to be made available again (by restoring the underlying processes)?

In your opinion, is it better if the BIA is conducted internally or using external resources?

It is advisable to use both types of resources: internal resources provide vital internal know-how of processes, resources and their interdependencies. External resources (consultants) provide guidance, methodology and solution experience carried over from other projects. Internal resources need to be trained in courses like the PECB ISO 22301 Lead Implementer course.
See http://continuuuity.ch/training

What level of granularity/detail should the BIA process go to?

We need to drill down to the lowest level of dependencies. For example, an application needs a database, a server with an operating system, housing with cooling and, finally, electricity. If IT is outsourced, we still need to be assured by the provider, ideally by asking for their BCM approach. Ideally, they should be ISO 22301 certified.

How do you balance the importance of sharing the BIA findings with a huge contribution base against keeping the company’s vulnerabilities confidential? Would having access to a BIA allow an adversary to easily target an organization?

You are right, the BIA results are highly confidential, as they would be an ideal guide for an attacker to launch an attack. BIA findings are only to be shared on an anonymous basis, and this kind of information is available in databases. External consultants bound by NDAs play a major role in making organizations aware of commonly found vulnerabilities.

How does the ISO 22301 standard encompass newer areas like cyber security management?

The standard mandates that significant risks, vulnerabilities and threats to the organization need to be addressed and does not spell out an exhaustive list. It rests within the responsibility of the organization to identify these issues.
When performing a BIA, we need to reach out to (get information from) all relevant key players within the organization (e.g. process owners) to get sufficient insight. In this example, the IT department and/or the CSO would be expected to raise the subject.

Do we need to take only business-critical functions into consideration, or would it be scoped based on the objectives and goals of the organization?

I assume that the business-critical functions by definition support the goals of the organization. One of the main challenges of a BIA is to identify (all) those critical functions.

What is the BIA tool being used?

I presented a tool called Sokrates Maps. See www.sokratesgroup.com.

Collecting BIA information is one thing, but the next problem is collating the information. Do you have any advice on how best to utilize the information to meet the BCM needs of the organization?

You are right, after the collection we need to collate and evaluate the information and put it into context. One of the big challenges during a BIA is to determine the “real” needs of the organization, as different parts of the organization often have varying needs.
So we often end up with an iterative approach.

Collecting information in a BIA can be challenging. Do you have any advice on how to ensure that all areas of the business processes are captured accurately?

You are right. I think we need a multi-pronged approach:
– Strategically select interview partners for information gathering
– Cross-check and evaluate the information provided for disparities, contradictions and missing information
– Use a tool-based approach to manage and distribute information

How is ISO expected to be integrated within the organization? Is this something that will be followed once ISO 22301 certification has been obtained, or followed in conjunction with the ISO 22301 standard?

If an organization plans to be certified against ISO 22301, it needs to implement a BCM approach based on this standard, adhere to its “spirit” and approach a certification body.
Key is a trained team of in-house specialists in order to successfully start the implementation in the first place. continuuuity offers both in-house and public training courses.